
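    server {
        # server_name YOUR_SERVER_FQDN; ## uncomment and replace with something like www.example.com

        ## 'listen ... ssl' replaces the 'ssl on;' directive (deprecated since nginx 1.15.0,
        ## removed in 1.25.1); the 'ssl' listen parameter has been available since 0.7.14.
        listen 443 ssl;

        server_tokens off; ## Don't show the nginx version number, a security best practice
        root /var/lib/nginx/http; ## the original line lacked the terminating ';' and would not load

        ## Strong SSL Security
        ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
        ##
        ## Generate a key, a (self-signed) certificate and DHE parameters:
        ## openssl genrsa -out /etc/ssl/private/zarafa.key 4096
        ## openssl req -new -sha512 -key /etc/ssl/private/zarafa.key -out /tmp/zarafa.csr
        ## openssl x509 -req -sha256 -days 3650 -in /tmp/zarafa.csr -signkey /etc/ssl/private/zarafa.key -out /etc/ssl/private/zarafa.crt
        ## openssl dhparam -out /etc/ssl/private/zarafa.dh 4096   # slow: can take a long time
        ## chmod go-rwx /etc/ssl/private/zarafa.*
        ## chmod u+rw /etc/ssl/private/zarafa.*
        ## chown root:root /etc/ssl/private/zarafa.*
        ##
        ## The x509 step above produces a SELF-SIGNED certificate: clients will warn on it and
        ## OCSP stapling (below) is meaningless for it. Use a CA-issued certificate in
        ## production and point ssl_certificate at the full chain (leaf + intermediates).
        ssl_certificate_key /etc/ssl/private/zarafa.key;
        ssl_certificate /etc/ssl/private/zarafa.crt;
        ssl_dhparam /etc/ssl/private/zarafa.dh;

        ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ## Forward-secret (ECDHE/DHE) AES-256 suites only; anonymous (aNULL) suites excluded.
        ## NOTE: this list does NOT support legacy clients such as IE6/WinXP (the original
        ## comment claimed otherwise) -- it contains no RSA key exchange, RC4 or 3DES suites.
        ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
        ## TLS 1.0 and 1.1 are deprecated (RFC 8996) and contradict the "strong" goal of this
        ## file, so only TLS 1.2 is offered. Add TLSv1.3 here when nginx (>= 1.13.0) is built
        ## against OpenSSL >= 1.1.1; it is left out so the example still loads on older
        ## builds, which reject unknown protocol names.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;

        ## [Optional] HSTS: instructs browsers to use HTTPS only for this host for the given
        ## period. Enable only once everything under this host is served over HTTPS -- it
        ## cannot be quickly undone for clients that have already cached it.
        # add_header Strict-Transport-Security "max-age=31536000";

        ## [Optional] If your certificate carries an OCSP responder URL, enable OCSP stapling to
        ## reduce the overhead and latency of client-side revocation checks. For more info see:
        ## - https://medium.com/devops-programming/4445f4862461
        ## - https://www.ruby-forum.com/topic/4419319
        ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
        ## - https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
        ## - http://freiburg79.de/ocsp-stapling-mit-nginx/
        ## ssl_stapling_verify needs ssl_trusted_certificate (the issuer chain) to validate
        ## the stapled response; the original file referred to it but never set it.
        ## ssl_stapling_file pins a response fetched out of band and disables nginx's own
        ## refresh -- leave it out unless something else keeps that file current.
        # ssl_stapling on;
        # ssl_stapling_verify on;
        # ssl_trusted_certificate /etc/ssl/private/zarafa-chain.pem;
        # ssl_stapling_file /etc/ssl/private/de-autorisation-m.ocsp;
        ## The resolver looks up the OCSP responder over plain (unauthenticated) DNS;
        ## prefer a local/trusted resolver over a public one.
        # resolver 208.67.222.222 208.67.222.220 valid=300s;
        # resolver_timeout 5s;

        # HIDDEN FILES AND FOLDERS
        ## Refuse any URI containing a "/." path segment (.git, .htaccess, .env, ...).
        ## The original used 'rewrite ... @404 break;' plus 'location = @404': a rewrite
        ## target is a plain URI, not a named location, and 'location =' is an exact-match
        ## location, so such requests were handled by accident rather than by the 404 rule.
        ## A regex location with 'return' is the idiomatic form. Regex locations take
        ## precedence over prefix locations from the included files unless those use '^~'.
        ## NOTE: this also blocks /.well-known/ (e.g. ACME challenges); add an explicit
        ## 'location ^~ /.well-known/acme-challenge/ { ... }' if you need that path.
        location ~ /\. {
            return 404;
        }

        ## The placeholders below are template markers, not nginx variables (nginx does not
        ## expand ${...}); substitute real paths before loading this file.
        include ${PATH_TO_ATTACHED_LOCATION_FILE};
        include ${PATH_TO_ANOTHER_LOCATION_FILE};
    }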